OpenShift Bugs: OCPBUGS-37671

[release4.16] Ingress controller related certificates' validate dates gathering

    • The Insights Operator now collects information about all Ingress Controller certificates (NotBefore and NotAfter dates). It aggregates it into a JSON file in the path 'aggregated/ingress_controllers_certs.json'.
    • Enhancement
    • In Progress

      This is a clone of issue OCPBUGS-35727. The following is the description of the original issue:

      Business requirement:

      We had a recommendation to check the expiration of the default ingress controller's certificate after it has expired. From the referenced KCS, it seems that many customers (hundreds) hit this issue. So oarribas@redhat.com suggests that we have a recommendation to alert customers before certificate expiration.

      Gathering method:

      1. Gather all the ingresscontroller objects (we already gathered the default ingresscontroller) with the command:
      $ oc get ingresscontrollers -n openshift-ingress-operator
      2. Gather the validity dates of the operator's auto-generated certificates with the commands:

      $ oc get ingresscontrollers -n openshift-ingress-operator -o yaml | grep -A1 defaultCertificate
      #### empty output here when certificate created by the operator
      $ oc get secret router-ca -n openshift-ingress-operator -o yaml | grep crt | awk '{print $2}' | base64 -d | openssl x509 -noout -dates
      notBefore=Dec 28 00:00:00 2022 GMT
      notAfter=Jan 22 23:59:59 2024 GMT
      
      $ oc get secret router-certs-default -n openshift-ingress -o yaml | grep crt | awk '{print $2}' | base64 -d | openssl x509 -noout -dates
      notBefore=Dec 28 00:00:00 2022 GMT
      notAfter=Jan 22 23:59:59 2024 GMT
      

      3. Gather the custom certificates' validity dates with the commands:

      $ oc get ingresscontrollers -n openshift-ingress-operator -o yaml | grep -A1 defaultCertificate
          defaultCertificate:
            name: [custom-cert-secret-1]
      
      #### for each [custom-cert-secret] above
      $ oc get secret [custom-cert-secret-1] -n openshift-ingress -o yaml | grep crt | awk '{print $2}' | base64 -d | openssl x509 -noout -dates
      notBefore=Dec 28 00:00:00 2022 GMT
      notAfter=Jan 22 23:59:59 2024 GMT
       

      Other Information:

      An RFE to create a cluster alert is under review: https://issues.redhat.com/browse/RFE-4269
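
      Added example, not part of the issue and not the Insights Operator's own code: the date extraction that the `base64 -d | openssl x509 -noout -dates` pipelines above perform, written in Go. It goes one step further than the commands by reading every certificate in a `tls.crt` value, since `openssl x509` prints only the first. `Validity`, `ParseValidity` and `sampleCert` are hypothetical names, and the certificate is constructed in-process with dates mirroring the sample output.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Validity holds the dates the issue asks to gather for one certificate.
type Validity struct {
	Subject             string
	NotBefore, NotAfter time.Time
	DaysLeft            int // days from `now` to NotAfter, truncated toward zero
}

// ParseValidity reads every PEM block of a decoded tls.crt value, so chained
// certificates are reported too (openssl x509 only prints the first one).
func ParseValidity(pemData []byte, now time.Time) ([]Validity, error) {
	var out []Validity
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes) // fails on non-certificate blocks
		if err != nil {
			return nil, fmt.Errorf("%s block: %w", block.Type, err)
		}
		out = append(out, Validity{cert.Subject.CommonName, cert.NotBefore, cert.NotAfter, int(cert.NotAfter.Sub(now).Hours() / 24)})
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("no PEM certificate found")
	}
	return out, nil
}

// sampleCert builds a constructed, self-signed certificate for the demo below.
func sampleCert(cn string, notBefore, notAfter time.Time) []byte {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	na := time.Date(2024, 1, 22, 23, 59, 59, 0, time.UTC) // mirrors the sample notAfter above
	fmt.Println(ParseValidity(sampleCert("constructed-router-ca", na.AddDate(-1, 0, 0), na), na.AddDate(0, 0, -10)))
}
```

      A collector would alert when `DaysLeft` drops below a chosen threshold; a value below zero means the certificate has already expired.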

              rh-ee-ijimeno Isaac Jimeno
              openshift-crt-jira-prow OpenShift Prow Bot
              baiyang zhou baiyang zhou